Security Incidents mailing list archives

Re: Weird scan on port 1214

From: Vangelis Haniotakis <haniotak () ucnet uoc gr>
Date: Fri, 29 Jun 2001 19:54:01 +0300 (EET DST)

On Fri, 29 Jun 2001, Greg A. Woods wrote:

[ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote: ]

Subject: Weird scan on port 1214

 Now, port 1214 is reserved for what is called  "Intelligent
Communications Protocol" on tcp and KAZAA on udp. I don't know what the
first one is, I do know that Kazaa is a file sharing thingy though.


KAZAA is really just HTTP on a "private" port.  You can connect to it
with any HTTP browser and get more or less meaningful results.


 Thanks! This information should come in handy. Unfortunately (or
thankfully...) the offending box is off the net at the moment, probably
shut down for the weekend.

 The small packet count reminds one of a vulnerability scan. Has there
been any vulnerability known re: kazaa (the most probable target)?


It's more likely they're just scanning for KAZAA servers.

One of my clients received a copyright infringement notification from
the Motion Picture Association Worldwide Anti-Piracy group the other day
stating that such a client was running on a customer's machine and that
it contained copyrighted materials.

Whether your "scans" are from the likes of the MPA, or just from those
trying to find files, or if there's a vulnerability in KAZAA and
someone's trying to find targets, is anyone's guess at this point.

What source address(es) did those connections appear to have come from?


 Well, *our* host was initiating lots of connections to the outside world,
that was the problem here. It could be and probably is "legitimate" KAZAA
traffic - in that case, a phone call to the department admin would help.
But I wanted to gather up some more info before shutting down a faculty
member's computer.

 It's the first time we have had trouble with KAZAA, gnutella and napster
we know how to detect - mostly checking for reeeeally big transfers :)

 In any case, thanks for the suggestions and for sharing your run in with
the MPA.

--
Vangelis Haniotakis - Network & Communications Centre, University of Crete



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Current thread:

Weird scan on port 1214 Vangelis Haniotakis (Jun 29)
- Re: Weird scan on port 1214 Nathan W. Labadie (Jun 29)
- Re: Weird scan on port 1214 Greg A. Woods (Jun 30)
  - Re: Weird scan on port 1214 Vangelis Haniotakis (Jun 30)
- <Possible follow-ups>
- Re: Weird scan on port 1214 Matt Scarborough (Jun 30)